How to Handle DSARs in Google Workspace
A practical guide to handling DSARs in Google Workspace: where personal data lives across Gmail, Drive, Calendar, and Chat, and how to use Google Vault and Admin Console for compliant data exports.
Last updated: 2026-07-05
Google Workspace Is a DSAR Minefield
If your organization runs on Google Workspace, personal data is everywhere. Gmail inboxes, Google Drive folders, Calendar entries, Chat messages, Google Meet recordings, Forms responses, Contacts, Keep notes — data about individuals is scattered across dozens of services, and most of it is not organized in a way that makes extraction straightforward.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business. The information here is based on the GDPR, UK GDPR, and CCPA, as well as Google Workspace functionality as of the date of publication. Google may update its tools and interfaces at any time.
When a DSAR lands in your inbox, you need to know exactly where to look, which tools to use, and where the gaps are. This guide walks through the practical process of handling a DSAR in Google Workspace, from locating data to exporting it in a usable format.
For the broader DSAR workflow process, see our DSAR workflow guide.
Where Personal Data Lives in Google Workspace
Before you can respond to a DSAR, you need to know where to search. Here is a breakdown of the main Google Workspace services and the types of personal data each one holds.
Gmail
Gmail is typically the largest source of personal data in any Google Workspace deployment. Inboxes contain:
- Email content — the body of messages sent to and from the data subject
- Attachments — documents, images, and files exchanged via email
- Metadata — sender, recipients, timestamps, subject lines, IP addresses
- Contact information — email addresses and names embedded in correspondence
- Drafts and sent mail — including messages the user may have forgotten about
- Spam and Trash — items not yet permanently deleted
For a detailed look at the challenges of searching employee inboxes, see our guide on DSARs and email.
Google Drive
Drive stores documents, spreadsheets, presentations, and files that may contain personal data:
- Documents and spreadsheets — these often contain names, contact details, notes about individuals, and other personal data
- Shared files — files shared with or by the data subject
- File metadata — who created a file, who viewed or edited it, and when
- Comments and suggestions — which may reference individuals by name
- Shared drives — organizational drives where personal data may exist in shared contexts
Google Calendar
Calendar entries can contain personal data:
- Event details — meeting titles, descriptions, and notes
- Attendee lists — who was invited and their response status
- Location data — meeting locations, including room bookings
- Attachments — files attached to calendar events
Google Chat and Spaces
Chat messages and Spaces (formerly Rooms) hold:
- Direct messages — one-to-one conversations
- Group messages — multi-person conversations
- Spaces content — threaded discussions in team channels
- Shared files and links — content shared within chats
Google Meet
Meet can generate personal data through:
- Meeting recordings — if recorded, stored in the organizer's Drive
- Attendance reports — who joined and when
- Chat messages within meetings — real-time chat during video calls
Other Services
- Google Forms — responses submitted by or about the data subject
- Google Contacts — contact records and associated notes
- Google Keep — notes that may reference individuals
- Google Sites — internal sites that may contain personal data
- Google Groups — mailing list memberships and message archives
- Admin Console logs — login activity, device information, and user audit trails
Tools for Data Export
Google Workspace provides two main tools for extracting data: the Admin Console's data export feature and Google Vault. They serve different purposes and have different capabilities.
Admin Console Data Export
The Admin Console allows super administrators to export all data for all users in the organization. This is a broad tool designed for organization-wide data portability, not for targeted DSAR responses.
Capabilities:
- Exports data from all core services (Gmail, Drive, Calendar, etc.)
- Covers all users in the organization
- Data is delivered as downloadable archive files
Limitations:
- It is an all-or-nothing export — you cannot export data for a single user or filter by search criteria
- The export process can take days for large organizations
- You still need to search through the exported data to find information related to a specific individual
- Not suitable for targeted DSAR responses without significant post-processing
Google Vault
Google Vault is the purpose-built eDiscovery and data governance tool within Google Workspace. It is far more useful for DSAR purposes than the Admin Console export.
Capabilities:
- Search by user — target specific accounts
- Search by keyword — find messages and files containing specific terms (such as a data subject's name or email address)
- Search by date range — limit results to a specific time period
- Search across services — Gmail, Drive, Chat, Groups, Meet, Sites, and Voice
- Place legal holds — preserve data that might otherwise be deleted
- Export results — download search results in standard formats (MBOX for email, native formats for Drive files)
- Audit trail — Vault logs all searches and exports, which is useful for demonstrating compliance
Limitations:
- Requires a Vault license — Vault is included with Business Plus, Enterprise, Education Fundamentals, and Education Plus editions. It is not available on Business Starter or Business Standard without an add-on.
- Does not cover all services equally — Calendar data, for example, has limited Vault support. Keep and Contacts are not directly searchable in Vault.
- Search is keyword-based — Vault does not understand context. A search for "John Smith" will return every email and document mentioning any John Smith, not just the data subject. You will need to review and filter results manually.
- No automated redaction — Vault exports raw data. Redacting third-party information is a manual process.
- Chat search limitations — Chat messages in Vault may not include all message types or reactions depending on your Workspace edition and settings.
Step-by-Step DSAR Process in Google Workspace
Step 1: Identify the Data Subject Across Your Systems
Determine how the data subject exists in your Google Workspace environment. Are they:
- An employee or former employee (with a Google Workspace account)?
- An external contact (whose data appears in your employees' emails, documents, and calendars)?
- A customer or client (whose data may be in CRM-related documents, shared drives, or correspondence)?
This distinction matters because the search approach differs. For an internal user, you can search their account directly. For an external individual, you need to search across all relevant accounts for mentions of their name, email address, and other identifiers.
Step 2: Conduct Vault Searches
If you have Google Vault, this is your primary search tool. Create a matter (Vault's term for a case or project) and run searches across:
- Gmail — search for the data subject's email address, name, and any known aliases or identifiers. Search across all custodians (employees) whose accounts might contain relevant data.
- Drive — search for documents containing the data subject's name or other identifiers. Include shared drives.
- Chat — search for direct messages and Spaces conversations involving or mentioning the data subject.
- Groups — search Google Groups archives for messages from or about the data subject.
For each search, set appropriate date ranges. If the data subject has specified a time period, use that. If not, search all available data.
Step 3: Export the Results
Export search results from Vault. For Gmail, Vault exports in MBOX format (which can be opened with email clients or converted to other formats). For Drive, files are exported in their native formats.
Review the export settings:
- Choose whether to include metadata
- Decide on the file format for Drive exports (native Google formats will be converted to Microsoft Office or PDF equivalents)
- For large exports, Vault splits results into multiple files
Step 4: Search Outside Vault's Coverage
Vault does not cover everything. You will need to manually check:
- Google Calendar — review the data subject's calendar (if they are an internal user) or search for events mentioning them. Calendar data may need to be exported using Google Takeout (for the user's own data) or reviewed manually in the Admin Console.
- Google Contacts — check contact records for entries related to the data subject.
- Google Keep — review notes for mentions of the data subject. Keep is not searchable via Vault.
- Google Forms — check form responses for submissions from or about the data subject.
- Admin Console audit logs — review login and activity logs if relevant to the request.
Step 5: Review and Redact
This is the most time-consuming step. Review all exported data and:
- Identify personal data belonging to the data subject
- Redact third-party information — remove or obscure personal data about other individuals unless disclosure is appropriate
- Apply exemptions — withhold data that is covered by a legitimate exemption (legal privilege, ongoing investigations, etc.)
- Document your decisions — record what was included, what was redacted, and what was withheld, with reasons
For detailed guidance on redacting third-party data, see our guide on third-party data in DSARs.
Step 6: Compile and Deliver the Response
Assemble the data into a clear, organized format. Group data by source (Gmail, Drive, Calendar, etc.) and include a covering letter that provides the supplementary information required by the applicable regulation — purposes of processing, categories of recipients, retention periods, and the data subject's rights.
Deliver the response securely. Do not send large volumes of personal data via unencrypted email. Use a secure file-sharing method or encrypted archive.
Gaps in Google Workspace Tooling
Google Workspace is not built for DSAR compliance. It is built for productivity. Several gaps make the DSAR process harder than it needs to be:
- No unified personal data search — there is no single tool that searches all Workspace services for all data related to a specific individual
- Limited Calendar and Contacts coverage in Vault — these services require manual searches
- No automated redaction — all third-party data must be identified and redacted manually
- No DSAR workflow management — Vault handles search and export, but there is no built-in workflow for tracking requests, managing deadlines, or documenting decisions
- Cross-service references are hard to trace — a document linked in an email that was discussed in a Chat message and attached to a Calendar event requires three separate searches to capture completely
For organizations handling regular DSAR volume, supplementing Google Workspace with a dedicated DSAR management tool can significantly reduce the manual effort. See our DSAR software comparison for options.
If You Do Not Have Google Vault
If your Workspace edition does not include Vault, your options are more limited:
- Google Takeout — individual users can export their own data using Google Takeout. If the data subject is an internal user, this captures most of their own data. For former employees whose accounts have been deleted, Takeout is not available.
- Admin Console reports — provide some activity and audit data but are not a substitute for Vault's search capabilities.
- Manual searches — without Vault, you may need to search individual accounts manually, which is time-consuming and difficult to document comprehensively.
If you handle DSARs with any regularity, Vault is worth the investment. The alternative is hours of manual searching with limited ability to demonstrate that your search was comprehensive.
References
- Google Vault Help Center: Google Vault documentation
- Google Workspace Admin Help: Data export tool
- Google Takeout: User data export
- GDPR Article 15: Right of access. GDPR Article 15
- UK GDPR: ICO guidance on the right of access. ICO right of access guidance
Last reviewed: July 2026. Google Workspace features and editions change. Verify current tool availability and functionality against Google's official documentation. Consult qualified legal counsel before making compliance decisions for your business.
Related Guides
- DSARs in SharePoint and Microsoft 365 — the Microsoft equivalent
- DSARs and Email: Searching Inboxes — the email-specific challenge
- Building a DSAR Workflow — end-to-end process design
Simplify Your DSAR Process
Our DSAR Compliance Guide includes system-by-system search checklists and process templates designed for organizations using cloud productivity suites like Google Workspace.